This forum is now a read-only archive. All commenting, posting, registration services have been turned off. Those needing community support and/or wanting to ask questions should refer to the Tag/Forum map, and to http://spring.io/questions for a curated list of stackoverflow tags that Pivotal engineers, and the community, monitor.

The problem is that the bean security bean needs to be created after the MVC beans are, otherwise spring-security doesn't care about the @Secured annotation.

No it doesn't... You simply need to add the appropriate configuration to your servlets contexts (it is all about proxy creating so I suggest a read of the AOP chapter in the reference guide). Simply put in all servlet context file the element that enables the @Secured (http:global-method-security />).

Comment

No it doesn't... You simply need to add the appropriate configuration to your servlets contexts (it is all about proxy creating so I suggest a read of the AOP chapter in the reference guide). Simply put in all servlet context file the element that enables the @Secured (http:global-method-security />).

Thank you very much, it seems to solve the problem. I read another post that said the opposite, spring source forum is definitely a better source

However, when I put this code in my context :

Code:

<security:global-method-security secured-annotations="enabled" />

I see this exception :

Code:

javax.servlet.ServletException: No adapter for handler ..

It is working when I remove global-method-security (without security though...)

Which is indeed a problem (which should be fixe in Spring 3.1). There is a proxy being created for your controller and due to that the @Controller and/or @RequestMapping annotation isn't found anymore. If I'm not mistaken this is fixed in Spring 3.1

Comment

Updating to spring 3.1 actually gave me more details about the exception causes and it happened that I had an ExceptionHandler that was declaring handleException for the same exception twice, plus I needed to had proxy-target-class="true" to the global-security tag because I am using interfaces.

Comment

You simply need to add the appropriate configuration to your servlets contexts... Simply put in all servlet context file the element that enables the @Secured (http:global-method-security).

@Marten - is it enough to simply define <http:global-method-security/> in the ROOT app-context loaded by ContextLoaderListener or does it need to also be defined in each WEB app-context loaded by DispatcherServlet?

No... Each context needs to have this (not each xml file all the xml files make up one context). The namespace registers Bean(Factory)PostProcessor and those operate only on the context in which they are defined.